Anti-tamper (“AT”) protection is employed so that it is very difficult to reverse engineer or alter the function of electronic hardware (e.g., computer processors, integrated circuits, multi-chip modules, etc). For some commercial applications, designers often spend vast sums of money to develop a “next generation” circuit. These companies often wish to deter, or at least hamper a competitor's reverse engineering efforts. The motivation in this case is to protect valuable intellectual property. Military and Government users also have a strong interest in AT protection. When new military hardware is fielded, often the consequences of capture are not fully understood by the designer of the hardware. Similarly, the combat loss of any one of a thousand pieces of sensitive, high-tech military hardware could do irreparable damage to national security.
Most AT is categorized as either passive or active. In each case, the intent is to delay, prevent or stop tampering and potential reverse engineering of an electronic circuit. Passive AT is currently the most widespread method of deterring an opponent from reverse engineering or spoofing an electronic circuit. Current passive AT arrangements include encapsulation or various types of conformal coatings such as epoxies. Methods to defeat common encapsulants are well documented.
AT standards have been defined according to the Federal Information Protection Standard (FIPS) 140-2. The standard describes the requirements for four levels of protection. For the standards for multi-chip, embedded modules, Level 1 calls for standard passivation techniques (i.e., a sealing coat applied over the chip circuitry to protect it against environmental or other physical damage). The standard describes that Level 2 can be achieved using anti-tamper coatings or passive AT. Level 3 may use passive AT if tampering will likely destroy the module. Level 4 requires the use of active AT technologies.
Layered anti-tamper arrangements are also employed in which alternating layers of passive AT with active AT yields a synergy in probing difficulty. With active AT methods, a protected circuit will take some action when unauthorized activities are detected. Any number of events can trigger a programmed circuit response. Examples of active triggering arrangements include: voltage, photon detection, acceleration, strain, thermal, chemical attack, and proximity or tamper-respondent enclosures. A tamper-respondent package can theoretically detect probing by proximity detection or by an external activity mutilating an active circuit, exterior to what is being protected. The response of an active AT circuit upon triggering is also widely variable. For example, zeroization may be employed in which critical memory cells or an entire die can be erased. Similarly, a response can trigger overwriting of some or all of a memory die. Another detection response is to physically obliterate a critical circuit element or elements.